Security Pillar

The Security pillar of the Azure Well-Architected Framework focuses on protecting your workload against threats and vulnerabilities. Security must be considered at every layer of your architecture — from identity and access management to network security, data protection, and application security.

---

Design Principles

Zero Trust

The Zero Trust model assumes that no user, device, or network is inherently trustworthy. Every request must be verified explicitly, regardless of where it originates. The three principles of Zero Trust are:

1. Verify explicitly — Always authenticate and authorise based on all available data points (identity, location, device, service, data classification, anomalies)
2. Use least privilege access — Limit user and service access to only what is needed, for only as long as it is needed
3. Assume breach — Minimise the blast radius and segment access. Verify end-to-end encryption. Use analytics to detect threats and improve defences

Defence in Depth

Security should be implemented in multiple layers so that if one layer fails, the next layer provides protection:

Physical Security (Azure data centres)
  |
  Identity & Access (Entra ID, RBAC, MFA)
    |
    Network Security (NSGs, Firewall, Private Endpoints)
      |
      Application Security (input validation, authentication)
        |
        Data Protection (encryption at rest and in transit)

No single control is sufficient. A combination of preventive, detective, and corrective controls provides the strongest security posture.

---

Identity and Access Management

Identity is the primary security boundary in the cloud. Proper identity and access management is the foundation of cloud security.

Microsoft Entra ID

Microsoft Entra ID (formerly Azure Active Directory) is Azure's cloud-based identity service. Use it for:

• Single sign-on (SSO) across Azure, Microsoft 365, and thousands of SaaS applications
• Multi-factor authentication (MFA) — require a second form of verification beyond passwords
• Conditional Access — enforce policies based on user, device, location, and risk level
• Privileged Identity Management (PIM) — just-in-time, time-limited elevation for administrative roles

Role-Based Access Control (RBAC)

Azure RBAC controls what users and services can do with Azure resources:

Built-in Role	Description
Owner	Full access, including the ability to assign roles
Contributor	Full access except role assignment
Reader	View-only access

Best practices:

• Assign roles to groups, not individual users
• Use the most restrictive role that meets the requirement
• Assign at the narrowest scope possible (resource > resource group > subscription)
• Use custom roles when built-in roles are too broad

Managed Identities

Managed identities eliminate the need for credentials in your code. Azure automatically manages the identity lifecycle:

• System-assigned — tied to a specific Azure resource; deleted when the resource is deleted
• User-assigned — a standalone identity that can be shared across multiple resources

Use managed identities for service-to-service authentication (e.g., an App Service accessing Key Vault or a Function App connecting to a database).

---

Network Security

Network Segmentation

Segment your network to limit the blast radius of a breach:

• Use subnets to separate workload tiers (frontend, backend, database)
• Apply NSGs to restrict traffic between subnets
• Use Azure Firewall for centralised, rule-based traffic filtering

Private Endpoints